Hello friends, this is the first of two, possibly three (if and when I have time to finish the Windows research) writeups. We will start with targeting GNU/Linux systems with an RCE. As someone who’s
I have cups (but not cups-browsed) installed, but I only start the service when I need to print something a few times a year. Until then it is only a binary sitting in a folder, nothing more.
Honestly it isn’t a big deal if you just use it on localhost. Just make sure cups is sandboxed like it should be. (Systemd)
Yes, but exactly that was/is the issue of this bug. cups-browsed was attaching itself to every available IP on the system. And cups-browsed can’t be bound only to localhost; it would defeat the whole purpose of that tool. For it to be able to find other printers in the network it needs to be bound to a non-localhost IP address. So, not much to sandbox.
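A way to check the point made in the last reply on your own machine, as an added example that is not part of the thread: the function below reads `ss -H -lunp` output and prints every UDP socket of a named process that is bound to something other than loopback. The function names and the sample lines (including the port numbers and PIDs) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Input on stdin is `ss -H -lunp` output:
#   State Recv-Q Send-Q Local:Port Peer:Port Process

# exposed_listeners NAME: print local address:port of every socket owned by
# process NAME whose bind address is not loopback (127.0.0.0/8 or ::1).
exposed_listeners() {
    awk -v proc="$1" '
        # keep only sockets whose owner list contains ("NAME"
        index($0, "(\"" proc "\"") == 0 { next }
        {
            addr = $4
            sub(/:[^:]*$/, "", addr)   # drop the trailing :port
            sub(/^\[/, "", addr)       # drop IPv6 brackets
            sub(/\]$/, "", addr)
            sub(/%.*$/, "", addr)      # drop an interface scope such as %lo
            if (addr ~ /^127\./ || addr == "::1") next
            print $4
        }'
}

# Constructed sample of `ss -H -lunp` output (not captured from a real host).
sample_ss() {
    cat <<'EOF'
UNCONN 0 0 0.0.0.0:631 0.0.0.0:* users:(("cups-browsed",pid=1201,fd=7))
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=640,fd=13))
UNCONN 0 0 [::1]:323 [::]:* users:(("chronyd",pid=702,fd=6))
UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=655,fd=12))
EOF
}

# Demo on the sample; on a live host run instead:
#   sudo ss -H -lunp | exposed_listeners cups-browsed
sample_ss | exposed_listeners cups-browsed
```

Empty output means the process has no UDP socket on a non-loopback address, which covers both "not installed" and "installed but not running".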